Research Saturday 11.11.17
Ep 9 | 11.11.17

Taiwan Bank Heist and Lazurus Group with BAE's Adrian Nish — Research Saturday


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday.

Dave Bittner: [00:00:07] I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:23] I'd like to tell you a little bit about our sponsor, Cybrary, the people who know how to empower your security team. Cybrary is the learning and assessment tool of choice for IT and security teams at today's top companies. They deliver the kind of hands on training fifty-five percent of enterprises say is the most important qualification when they're hiring. And once you hire, you want to retain. And Cybrary helps there too, because seventy percent of employees say professional development is a big reason for staying on board. Visit, and see what they can do for your organization. Not only is it effective, it's affordable too, costing just about a twelfth of what legacy approaches to training would set you back. So contact Cybrary for a demo. That's, and tell them the CyberWire sent you.

Adrian Nish: [00:01:20] So Bangladesh Bank was a watershed moment for the financial industry.

Dave Bittner: [00:01:25] That's Dr. Adrian Nish, head of cyber threat intelligence at BAE Systems. His team has been tracking a new cyber-enabled bank heist in Asia. Some of the tools used are reminiscent of the Bangladesh Bank attack from February 2016.

Adrian Nish: [00:01:40] It was a case where attackers had managed to do APT-style intrusion, both into the bank and then into their payment system. And rather than a classical APT case of stealing information, this was all about stealing money. So the attackers, when they were on the payment system, attempted to transfer about $950M US dollars from Bangladesh Bank's accounts in the Federal Reserve in New York to accounts in Sri Lanka and the Philippines. Not all of that was successful, they got about $81M US dollars.

Adrian Nish: [00:02:16] But the other interesting thing was, they deployed quite sophisticated malware to cover their tracks, so basically tampering with the local SWIFT servers that the bank were using, in order to delete the evidence efficiently and basically cover up their tracks. And this was the first time we, or others in the community, had seen anything like this deployed, and it was a, I guess, a forewarning for what was to come in the months going forward from that.

Dave Bittner: [00:02:45] And this was attributed to the Lazarus Group. What can you tell us about them?

Adrian Nish: [00:02:50] The name Lazarus is one that came from a white paper that was released last year, which detailed this threat actor that's been in operation probably about a decade, and they've got a long history of attacks against South Korea, but also some high-profile cases, such as the Sony Pictures attack in 2014. As Sony Pictures were, of course, producing a movie in 2014, depicted the assassination of a North Korean leader, and this group got into Sony Pictures network and destroyed a large number of machines across the network, and released sensitive e-mails in order to embarrass their executive.

Adrian Nish: [00:03:30] The group has since been linked to attacks on, for example, media companies in the UK. Plus, of course, the string of bank intrusions and cyber-heist activity. We don't have any smoking gun evidence about who's behind it, but, you know, the links back to North Korea are certainly significant.

Dave Bittner: [00:03:49] And so when did this new attack first come on your radar?

Adrian Nish: [00:03:52] We heard about this, um, I think it was the 6th of October. So just a few days after the attack happened, initial reports came out in local media in Taiwan about a bank having suffered a heist, and also then ransomware being deployed on the bank's network. And I guess over the days after that, it became a bit more clear that, again, this had involved a, uh, attack on the local SWIFT system within FEIB, the bank in Taiwan. And the ransomware component had actually been just a cover up, or a distraction for that attack against the SWIFT system.

Dave Bittner: [00:04:38] So take us through step by step. What did you all discover here?

Adrian Nish: [00:04:41] Well, like in the case of Bangladesh, we weren't actually hired to do the investigation. How we got the evidence was through samples of malware that had been uploaded to malware repositories of So somebody in Taiwan doing the investigation uploaded these to check if they get detected by antivirus. And once they're uploaded, they're available for researchers. So we had some filters and did some searches, were able to identify this malware that have been uploaded, linked it back to Taiwan, and pulled it apart to understand exactly what had gone on.

Dave Bittner: [00:05:22] So describe for us, what are some of the bits of malware that you found?

Adrian Nish: [00:05:25] So there's kind of two main components. There's this ransomware component that I mentioned earlier, and this is very interesting. It's very typical sort of ransomware, and we're still not sure if it's something the attackers have coded, or perhaps they've they purchased it online. And basically they hard-coded the credentials, administrative credentials for the bank's network, into the malware and used it to spread across the network. And we think it's just a smokescreen. So after they've done the bank heist, they send this malware across the network, creates a lot of noise, distracts the local security team, and gives the attackers more time to get away with the money laundering aspect of the heist.

Adrian Nish: [00:06:14] And then the second components are what link it back to this Lazarus threat group. So these were remote access tools which we'd seen in other activity in cases we investigated last year, and indeed a case this year in Poland, which we were also able to link back to the Lazarus Group. Probably just used for remote access, but almost certainly part of this bank heist.

Dave Bittner: [00:06:39] So can you describe to us, what did these files contain?

Adrian Nish: [00:06:43] So the ransomware component basically has a dropper, so this is what's used to load the ransomware, and also helps it to spread across the network. so it's got those hard-coded credentials. The ransomware itself will pop up a message demanding payment in bitcoin, very similar to other ransomwares that we've investigated. The interesting thing with the remote access tool that we investigated is that it actually contains commands that are written in Russian language. And we think it's a false flag by the attackers. There's no good reason to use these particular words. They put them in probably to try and mislead researchers. We're pretty confident, though, that the code links back to the Lazarus threat group.

Dave Bittner: [00:07:33] And so, in terms of being able to get in and infiltrate this SWIFT system, what was going on there?

Dave Bittner: [00:07:41] There's not a lot in the public domain about exactly what happened, and it may be that more information comes to light as the investigation unfolds. But what we'd assume is something similar to what happened in Bangladesh, which is that the attackers would have had administrator-level credentials--and we know that they did, we can see that in the ransomware--and with these admin credentials they can move on to the SWIFT server, assuming there's no segregation in the network, so they can use those credentials to access the environment.

Adrian Nish: [00:08:13] And then, in Bangladesh, what they did was they actually subverted some of the payment systems. So rather than just using the legitimate functionality that is there, they used those administrative credentials to actually modify parts of the software that's running, used this to subvert it, send the payments, cover up the evidence of what happened.

Adrian Nish: [00:08:36] This group is also pretty efficient at deleting evidence after themselves. So they, they'll often use cleanup tools to hamper the forensic investigation. So wiping out some of their previous malware, some of their log files, deleting event logs, all this sort of stuff.

Dave Bittner: [00:08:54] And have they been successful in getting away with the cash?

Adrian Nish: [00:08:58] It doesn't seem so. The bank, to their credit, they must have realized that the ransomware was a smokescreen, and that the cyber heist was in fact the real attack. We don't know exactly what happened, but we would imagine they got in touch with the beneficiary banks where the money had been sent to, and had the money frozen before anybody was able to move it.

Adrian Nish: [00:09:22] Interestingly, there were reports in the public domain of an individual in Sri Lanka who was arrested attempting to cash out some of the money. Now, we don't believe that this is necessarily one of the kingpins behind the attack. It's possible that this individual was being manipulated by the real attackers, a so-called money mule, or intermediary to move the money.

Dave Bittner: [00:09:48] So what are your recommendations to help people protect against this sort of thing?

Adrian Nish: [00:09:53] So, lots of usual security-hardening recommendations, such as controlling admin access, segregating networks, plus some kind of longer-term recommendations around pen-testing, using the techniques that these attackers are known to deploy. And also looking at SWIFT's Customer Security programs, so their 27 Controls program, which all banks who are using SWIFT systems will have to attest to by the end of the year. The recommendations are based off of real attacks being investigated, and the findings are very useful advice for organizations that need to harden their environments.

Dave Bittner: [00:10:38] I was interested, one of the bits of malware that you analyzed contained a polyglot file. Can you describe to us what that is and how that worked?

Adrian Nish: [00:10:47] Yeah, so the attackers, in the ransomware component, they have this two-stage, so a dropper or spreader, which is used to spread the malware around the network, and that uses the hard-coded admin credentials. And then it loads the payload. And the payload, they've obfuscated within a bitmap image. Again, it's probably unnecessary to do it, the malware author may believe this makes analysis more difficult, and that's probably true in the case of automated analysis systems, but a skilled malware analyst will easily be able to spot that this wasn't a legitimate bitmap, and they can pull the payload out of the file from there.

Dave Bittner: [00:11:35] In terms of the sophistication of this group, what's your estimation? How sophisticated are they?

Adrian Nish: [00:11:42] Yeah, it's a difficult point to rate attackers on sophistication. I would say they've got strengths and weaknesses. Certainly some of their strengths are how they clean up the evidence after themselves. They seem to put a lot of effort into deleting both their own malware from the system, any logs, any output, plus any, like I said, event logs or other artifacts from disk. However they don't use zero-day exploits, they don't use rootkit malware. There are elements of their attack that are quite clever and make it difficult to investigate, there are other aspects that are more basic by comparison to maybe higher, nation-state actors.

Dave Bittner: [00:12:27] Our thanks to Dr. Adrian Nish for joining us. You can find the complete report about the Taiwan heist and the Lazarus tools and ransomware on the BAE Systems Threat Research blog.

Dave Bittner: [00:12:38] And thanks again to our sponsor, Cybrary, for making this edition of Research Saturday possible. Visit, and see what they can do for your organization. Don't forget to check out our CyberWire Daily News Brief and podcast, along with interviews, our glossary, and more on our website, The CyberWire Research Saturday is produced by Pratt Street Media. Our coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.